
hacking the editor

12-30-2005, 11:04 AM#1
Vexorian
Can anyone with some known skills make a hack to the editor so that when you use [test map] it opens the map using -window (it already uses -loadfile)? I think it would be knowing the address of the loadfile and adding -window.

edit: noted that -window must be before -loadfile
12-30-2005, 02:10 PM#2
Xeth-Ban
hacking the editor...... sounds kinda illegal actually, lol :p
12-30-2005, 03:46 PM#3
StealthFox
Do you mean making it open Warcraft III in a window with the test map?
12-30-2005, 03:49 PM#4
Vexorian
Yeah, I currently have to forget about the test map button and just save the map, then find the folder and use the special w3x type association I made to make it open windowed. If that could happen with just pressing the button, it would help me a lot.

I do this because when you use a resolution bigger than 1024×768, windowed mode takes a lot less time to load than full screen mode.

Xeth-Ban : My optimizer broke the EULA 100 times already so I don't care
12-30-2005, 04:16 PM#5
Zoxc
Did a search for it in memory... no result ... where is my hex editor ....

Idea for a contest: Make a program that breaks the EULA most times ^^

Another way to do this might be to replace war3.exe with our own that sends the param to a copy of war3.exe and adds -window if it's not there.
12-31-2005, 04:23 PM#6
PitzerMike
Here's a stupid patch for the editor that allows you to specify command line parameters for the test map button.

Simply enter -window -loadmap in the textbox and hit the patch button. Another useful option could be -opengl
The -loadmap option has to be the last option in the list.
You'll find all other available arguments in the following thread:

http://www.wc3campaigns.com/showthread.php?t=41980

Maybe we could add this option to the NoLimits patch in future versions.
Attached Files
File type: zip, WindowHack.zip (8.2 KB)
12-31-2005, 05:54 PM#7
Blade.dk
That is pretty useful, and now I also know that Warcraft 3 can be run in windowed mode normally. Very helpful, good job.
12-31-2005, 06:12 PM#8
Vexorian
Did you make it, PitzerMike? Would like the source (would want to make an automatic one).
12-31-2005, 06:13 PM#9
Zoxc
And I'd like to know how you found the address ^^
12-31-2005, 09:42 PM#10
PitzerMike
Yes, I made it. I'll post both the source code and an explanation of how I found the addresses tomorrow.
A happy new year everyone :)
12-31-2005, 11:16 PM#11
Blade.dk
Happy new year!
01-01-2006, 03:00 PM#12
PitzerMike
  • First you will need a decent disassembler, I'm using IDA Pro 4.8. Although I only have an evaluation version it is the best disassembler I know, and the demo version works well enough for what we are doing.
  • So first we have to load worldedit.exe in the disassembler which will take a few seconds.
  • If it asks you for dll files linked to the exe simply press the cancel button, we don't need them.
  • Now if we activate the "Strings" tab and do a search for -loadfile, the second result will be exactly what we were looking for. Double click the string you found and it will automatically jump to the place where the string is defined in the executable (0x007BDA9C).
  • Now we could simply overwrite the -loadfile string in memory with our custom parameters but unfortunately -window -loadfile would take more space than available, because we can't simply overwrite the next string without causing side effects.
  • So what I did was search for a different, longer string that would be safe to overwrite. I decided to abuse "Warcraft III Game Application", just 2 strings above our other string at 0x007BDA60. It seemed to be the window title of the launched Warcraft 3 instance or something similar. Anyway, this would give us 32 bytes for our custom parameter list (including the terminating 0), which seemed to be enough.
  • Now we just have to make the editor use this string instead of the -loadfile string at the other address, so I again double clicked the -loadfile string to jump to where it was defined.
  • In the IDA View tab we can see 2 XREFs to this string (these are basically places where the string is used)
  • By clicking on the arrow at the very right of an XREF you can jump to the appropriate offset. Now if we click the arrow of the first XREF, we come to a snippet of code that looks very promising: we see that at 0x004D7B50 the string from the address we found before is loaded and concatenated. This is most likely what we were looking for.
  • If you now switch to the Hex view you can see that the address is referenced in reverse byte order at 0x004D7B50 and that the new address only differs in the first byte. Our patch simply has to replace 0x9C by 0x60 in order to point to the new string.
  • Besides fixing this pointer our patch only has to overwrite the "Warcraft III Game Application" string with our command line arguments like " -window -loadfile ".
  • That was all we needed to know; the rest can be found in the source code I provided. Even if you don't have Visual Studio 6 you can open frmmain.frm and CProc.cls with a text editor and look at the really simple code. Most of it is simple Win API functions.
Attached Files
File type: rar, WindowHack_Src.rar (3.6 KB)
01-01-2006, 03:18 PM#13
Zoxc
I used SoftICE to disassemble worldedit.exe ^^
Found the string, but... too short for me so I didn't know what to do then.

________


Who will make an automatic version first... Me or Vex ? ^^ (I'm working on an MPQ editor so I think Vex wins :'( )
01-02-2006, 12:18 AM#14
BlacKDicK
You could also add a new section to the executable and then add the new string to it, without messing up with the other string. Of course it would require an RVA calculator to calculate the virtual offset based on the physical offset.
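The RVA calculation mentioned in the post above, as an added example that is not part of the original thread or of the attached source: it reads a PE32 section table and converts between virtual addresses and file offsets, including the case where an address exists in memory but has no bytes on disk. The section layout and the 0x400000 image base are constructed and hypothetical (not worldedit.exe's real layout); only the sample address 0x007BDA9C comes from the thread.

```python
import struct

def parse_sections(pe):
    """Return (image_base, rows); each row is (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    (nt,) = struct.unpack_from("<I", pe, 0x3C)             # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (count,) = struct.unpack_from("<H", pe, nt + 6)        # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, nt + 20)    # SizeOfOptionalHeader
    opt = nt + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    (image_base,) = struct.unpack_from("<I", pe, opt + 28)
    table = opt + opt_size                                 # section table follows the optional header
    return image_base, [struct.unpack_from("<8sIIII", pe, table + 40 * i) for i in range(count)]

def va_to_offset(pe, va):
    """File offset backing a virtual address, or None if nothing on disk backs it."""
    base, sections = parse_sections(pe)
    rva = va - base
    for _name, vsize, vaddr, raw_size, raw_ptr in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            delta = rva - vaddr
            return raw_ptr + delta if delta < raw_size else None  # tail is zero-filled at load
    return None

def offset_to_va(pe, offset):
    """Virtual address a file offset is mapped to, or None for header or overlay bytes."""
    base, sections = parse_sections(pe)
    for _name, _vsize, vaddr, raw_size, raw_ptr in sections:
        if raw_ptr <= offset < raw_ptr + raw_size:
            return base + vaddr + (offset - raw_ptr)
    return None

def build_sample():
    """Constructed header-only PE32 image; the layout is hypothetical, not worldedit.exe's."""
    pe = bytearray(0x400)
    pe[0:2], pe[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x80)                 # e_lfanew
    struct.pack_into("<HH", pe, 0x84, 0x14C, 3)            # Machine, NumberOfSections
    struct.pack_into("<H", pe, 0x94, 0xE0)                 # SizeOfOptionalHeader
    struct.pack_into("<H", pe, 0x98, 0x10B)                # PE32 magic
    struct.pack_into("<I", pe, 0x98 + 28, 0x400000)        # ImageBase (assumed)
    rows = [(b".text", 0x3A0000, 0x1000, 0x3A0000, 0x400),
            (b".rdata", 0x40000, 0x3A1000, 0x40000, 0x3A0400),
            (b".data", 0x20000, 0x3E1000, 0x1000, 0x3E0400)]
    for i, row in enumerate(rows):
        struct.pack_into("<8sIIII", pe, 0x178 + 40 * i, *row)
    return bytes(pe)
```

With this constructed layout, `va_to_offset(build_sample(), 0x007BDA9C)` gives 0x3BCE9C, while an address deep in the mostly uninitialized `.data` section returns `None`.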
01-02-2006, 12:23 AM#15
PitzerMike
Quote:
Originally Posted by BlacKDicK
You could also add a new section to the executable ...

If you mean by physically changing the executable, that wouldn't work in this case as starting the editor would then fail because of the copy protection.